cloudflare bulletproof spammer hosting?

[mMerlin]

A search here shows an old topic about cloudflare not being responsible for spam from and about sites that normal reporting points to them. And another about joe jobbing of sites they host. However ..,

Almost all of my 'normal' spam for the past few days has been showing links to sites that report to (disabled) abuse[at]cloudflare.com. Some with the email source pointing there too.

That includes spam that is attempting to use the links to collect more information, and sell me 'junk'. Has the manager or the botnet that spews most of my spam shifted their hosting to cloudflare? Is it time / possible to find some other place to report these?

Examples (with guid style suffixes removed)

http:/ /bccdui.com

http:/ /cottage-bb.com

http:/ /banksville.net

http:/ /dcdzine.com

http:/ /escape-tour.com

http:/ /fmuae.com

http:/ /camcoomya.com

Suggestions?

Edited by SteveT (turetzsr) to break the URL links.

[petzl]

A search here shows an old topic about cloudflare not being responsible for spam from and about sites that normal reporting points to them. And another about joe jobbing of sites they host. However ..,

Almost all of my 'normal' spam for the past few days has been showing links to sites that report to (disabled) abuse[at]cloudflare.com. Some with the email source pointing there too.

That includes spam that is attempting to use the links to collect more information, and sell me 'junk'. Has the manager or the botnet that spews most of my spam shifted their hosting to cloudflare? Is it time / possible to find some other place to report these?

Examples (with guid style suffixes removed)

http:/ /bccdui.com

http:/ /cottage-bb.com

http:/ /banksville.net

http:/ /dcdzine.com

http:/ /escape-tour.com

http:/ /fmuae.com

http:/ /camcoomya.com

Suggestions?

Edited by SteveT (turetzsr) to break the URL links.

Botnet static (joe job)

The sites are suspicious but "innocent"

http://www.spamcop.net/sc?id=z5911914157z8...46721665405a89z

in notes I have a boiler plate to add to SpamCop report

The bits in RED I added to my boilerplate

14.96.170.206 (Administrator of network where email originates)

BOTNET ATTACK HOST

http://cbl.abuseat.org/lookup.cgi?ip=14.96.170.206

BLOCK OUTBOUND PORT 25,

RESERVE FOR LEGIT EMAIL SERVER

CHANGE TO SECURE PASSWORD

SCAN INFECTED COMPUTER FOR MALWARE

http://spamcop.net/w3m?action=checkblock&ip=14.96.170.206

Other hosts in this "neighborhood" with spam reports

14.96.170.112 14.96.170.181 14.96.170.224 14.96.171.22 14.96.171.49 14.96.171.156 14.96.171.165

[mMerlin]

Botnet static (joe job)

The sites are suspicious but "innocent"

Which would be fine if the sites were innocent (for values of). These sites belonged with the spam. Same pattern / structure of emails I get all of the time, with random (bot net and open proxy) sources, and moving urls. The difference is now almost all of the urls are pointing to sites that are owned / hosted / managed [whatever] by cloudflare.

I suppose the spam emails could have been collected (not like they are rare or anything), and sent again from a joe job botnet with adjusted urls. Given that the urls all look 'personalized' with identifier guid, I do not want to go exploring the links to see if they really match with the spamvertized content. I tried some munged variations, but got nothing useful.

[petzl]

Which would be fine if the sites were innocent (for values of). These sites belonged with the spam. Same pattern / structure of emails I get all of the time, with random (bot net and open proxy) sources, and moving urls. The difference is now almost all of the urls are pointing to sites that are owned / hosted / managed [whatever] by cloudflare.

I suppose the spam emails could have been collected (not like they are rare or anything), and sent again from a joe job botnet with adjusted urls. Given that the urls all look 'personalized' with identifier guid, I do not want to go exploring the links to see if they really match with the spamvertized content. I tried some munged variations, but got nothing useful.

The sites I looked at are criminal. But don't believe they are "with" the botnet

A while ago this botnet was framing a stolen credit card site/s

could be a "loose cannon" gibbering?

[n4af]

It seems to me the CF is doing a better job. I have not seen any criminals hiding behind them for the last week of spam (at least not here).

Now, what to do about hosting RIGHTSIDE.CO AND OVH.CA They host 95% of all spam sites rcvd here.

Howie

[petzl]

It seems to me the CF is doing a better job. I have not seen any criminals hiding behind them for the last week of spam (at least not here).

Now, what to do about hosting RIGHTSIDE.CO AND OVH.CA They host 95% of all spam sites rcvd here.

Howie

Not sure about "RIGHTSIDE.CO"

OVH.CA are spam friendly help if you include a SpamCop track to get better advice

OVH have a report site here but I find it not helping

http://www.ovh.com/fr/support/documents_le...nu_illicite.cgi

If it is a porn site spam I include this boiler text makes OVH complacent in Child Porn

Child porn spammer

pictures under 18 or made to look under 18

PORN SPAMMER uses hacked web and email accounts

Change log-on to a more secure password!

Scan for Malware!

[hank]

very, very tired of Cloudflare spam.

Cloudflare was in the news recently for disclosing to alt-right sites the identity of people who complained about the nazi-type stuff they send out through Cloudflare. 

https://www.propublica.org/article/how-cloudflare-helps-serve-up-hate-on-the-web

This is one example why Spamcop ought to be working to do better at removing all the personal identification material including the unique tracking strings the spammers use, to protect people who complain.

[Morg2]

I note that Cloudflare has been a spam haven  problem for years now.  But just like Hank, I am very very tired of them.  In the last 2 months almost all my spam (like, 20 a day) has come from Limestone Networks, and referenced stuff at Cloudflare.  And weirdly, at least half of the clickbait subject lines are "Hitler's last words".  Gee.  Little did I know that they had Youtube back when Hitler died.  And I sure don't know why anyone at all would be interested in what it go-pro'd on him.  But apparently someobody thinks that this line will be the one that causes people to give away their identities to some internet criminal. 

[groupboard]

It seems to have suddenly become a major problem in the last week or so. Now about 90% of our spam is hosted through cloudflare. Reporting the spams doesn't help -- the domains are never removed from cloudflare. Cloudflare themselves don't really seem to give a crap...lots of people complaining to them on twitter, but they don't seem to care. They just say they're not hosting it, and direct people to report it via the web form (which they then just ignore).

I just implemented a change to our spam filter yesterday, which has completely resolved the issue: I now block all emails coming from domains registered less than 7 days ago. (I don't specifically check for hosting on cloudflare, as this should kill spams from elsewhere as well). If anyone wants the perl function, let me know.

[groupboard]

Cloudflare spam is a problem again, because the main spammer ("James Wilson") who is sending 99% of our inbound spam through cloudflare domains is now using older domains rather than day-old ones. The solution seems to be to put a 15 minute delay into our spam filter if it is a cloudflare-hosted domain ("whois $domain | grep -i cloudflare" returns 0). This gives the ip address time to show up on the various blacklists.